Netgate Discussion Forum

    IPSec IKev2,RSA-Cert, PFSense <-> PFSense no NAT failed to bring net tunnel up?

    beop911

      Hello Forum,

      after trying several combinations with NAT from the home office (strongSwan on OpenSuSE, Sophos, ..) and spending several hours,
      I decided to go back to what is, in my opinion, the easiest possible setup (no NAT, both ends pfSense 2.3.2p1 RELEASE, only one Network <-> Network tunnel)

      172.30.21.0/24    PFS_A (official static IP)  <-->  PFS_B (official static IP)    172.30.11.0/24

      means "only" ;) a 172.30.21.0/24 <-> 172.30.11.0/24 tunnel, where both A and B also have more such networks (comes then later ...)

      Setup data:
      1.) set up Cert-CA on A + generate server cert, generate client (B) certificate;
          put Cert-CA.crt, Cert-B.crt, Cert-B.key on B via import certificate..
      2.) IPsec parameters on both ends:
          Key Exchange version:        2 (later for the home office I need NAT ..)
          Internet Protocol:           IPv4
          Interface:                   WAN
          Remote Gateway:              IP address of peer
          Authentication Method:       Mutual RSA
          My identifier:               My IP address
          Peer identifier:             Peer IP address
          My Certificate:              A (Server Cert), B (Client Cert)
          Peer Certificate Authority:  Cert-CA of A
          Phase 1:
          Encryption Algorithm:        AES 256 bits
          Hash Algorithm:              SHA256
          DH Group:                    14 (2048)
          Lifetime:                    28800
          Disable rekey:               false
          Disable Reauth:              false
          Responder Only:              A (true), B (false)
          MOBIKE:                      disable
          Split connections:           false
          Dead Peer Detection:         enabled
          Delay:                       10
          Max failures:                5
          Phase 2:
          Mode:                        Tunnel IPv4
          Local Network:               Network A (172.30.21.0/24), B (172.30.11.0/24)
          NAT/BINAT translation:       none
          Remote Network:              Network A (172.30.11.0/24), B (172.30.21.0/24)
          Protocol:                    ESP
          Encryption Algorithms:       AES 256 bits
          Hash Algorithms:             SHA256
          PFS key group:               14 (2048)
          Lifetime:                    3600
          Advanced settings:           everything is disabled except for:
          Configure Unique IDs as:     Yes
          Auto-exclude LAN addr:       true

      So if I start the tunnel from B, Phase 1 succeeds and B also shows in the GUI that the tunnel (SPD) is set up ...
      But A shows in its logs that there are problems, see log (reverse ordering of lines ....)

      Oct 17 15:06:17 charon 04[ENC] <bypasslan|1>generating IKE_AUTH response 1 [ IDr CERT AUTH N(AUTH_LFT) N(TS_UNACCEPT) ]
      Oct 17 15:06:17 charon 04[IKE] <bypasslan|1>failed to establish CHILD_SA, keeping IKE_SA
      Oct 17 15:06:17 charon 04[IKE] <bypasslan|1>traffic selectors 172.30.21.0/24|/0 === 172.30.11.0/24|/0 inacceptable
      Oct 17 15:06:17 charon 04[CFG] <bypasslan|1>172.30.20.0/24|/0
      Oct 17 15:06:17 charon 04[CFG] <bypasslan|1>proposing traffic selectors for other:
      Oct 17 15:06:17 charon 04[CFG] <bypasslan|1>172.30.20.0/24|/0
      Oct 17 15:06:17 charon 04[CFG] <bypasslan|1>proposing traffic selectors for us:
      Oct 17 15:06:17 charon 04[CFG] <bypasslan|1>looking for a child config for 172.30.21.0/24|/0 === 172.30.11.0/24|/0
      Oct 17 15:06:17 charon 04[IKE] <bypasslan|1>maximum IKE_SA lifetime 10510s
      Oct 17 15:06:17 charon 04[IKE] <bypasslan|1>scheduling reauthentication in 9970s
      Oct 17 15:06:17 charon 04[IKE] <bypasslan|1>IKE_SA bypasslan[1] state change: CONNECTING => ESTABLISHED

      And after this, the IKE_SA is not usable at all, but why does B show in the GUI that everything is fine ??
      The shown network 172.30.20.0/24 is also available on A, but is nowhere set up for this tunnel …

      So for me the "easy" case doesn't work either ... :-[
      Please give me some input to get it working, like it should ..

      Thank you

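An added triage helper (not from the post or from pfSense): it reads charon lines like the ones above, restores chronological order (the pfSense status page lists newest first), and reports which connection charon tagged the IKE_SA with and which traffic selectors were requested versus proposed before the N(TS_UNACCEPT). The sample log is the post's own lines, and the `|/0` port suffix and the connection-name tag `<name|id>` are assumed to follow the strongSwan format shown there; `bypasslan` is the connection pfSense writes for the auto-exclude LAN setting.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: the charon lines from the post, exactly as pfSense shows
# them (newest first), so the parser reverses them before tracing the exchange.
SAMPLE_LOG = """\
Oct 17 15:06:17 charon 04[ENC] <bypasslan|1>generating IKE_AUTH response 1 [ IDr CERT AUTH N(AUTH_LFT) N(TS_UNACCEPT) ]
Oct 17 15:06:17 charon 04[IKE] <bypasslan|1>failed to establish CHILD_SA, keeping IKE_SA
Oct 17 15:06:17 charon 04[IKE] <bypasslan|1>traffic selectors 172.30.21.0/24|/0 === 172.30.11.0/24|/0 inacceptable
Oct 17 15:06:17 charon 04[CFG] <bypasslan|1>172.30.20.0/24|/0
Oct 17 15:06:17 charon 04[CFG] <bypasslan|1>proposing traffic selectors for other:
Oct 17 15:06:17 charon 04[CFG] <bypasslan|1>172.30.20.0/24|/0
Oct 17 15:06:17 charon 04[CFG] <bypasslan|1>proposing traffic selectors for us:
Oct 17 15:06:17 charon 04[CFG] <bypasslan|1>looking for a child config for 172.30.21.0/24|/0 === 172.30.11.0/24|/0
Oct 17 15:06:17 charon 04[IKE] <bypasslan|1>IKE_SA bypasslan[1] state change: CONNECTING => ESTABLISHED
"""

# "<conn|id>" tag and message text; assumed strongSwan/pfSense log layout as in the post
LINE_RE = re.compile(r"charon \d+\[(\w+)\] <([^|>]+)\|\d+>(.*)$")
CIDR = r"\d+\.\d+\.\d+\.\d+/\d+"
LOOKING_RE = re.compile(rf"looking for a child config for ({CIDR})\|/0 === ({CIDR})\|/0")
SELECTOR_RE = re.compile(rf"^({CIDR})\|/0$")

def diagnose_ts_mismatch(log: str) -> Optional[Dict[str, object]]:
    """Return connection name plus requested vs. proposed selectors behind a TS_UNACCEPT, else None."""
    lines = [l for l in log.splitlines() if l.strip()]
    lines.reverse()  # newest-first listing -> chronological order
    result: Dict[str, object] = {}
    side = None  # which "proposing traffic selectors for ..." list the next CIDR line belongs to
    for raw in lines:
        m = LINE_RE.search(raw)
        if not m:
            continue
        conn, msg = m.group(2), m.group(3).strip()
        result.setdefault("conn", conn)  # the config charon matched the IKE_SA against
        lk = LOOKING_RE.search(msg)
        if lk:  # what the initiator asked for (local === remote, from the responder's view)
            result["requested_local"], result["requested_remote"] = lk.group(1), lk.group(2)
        elif msg.startswith("proposing traffic selectors for us"):
            side = "proposed_local"
        elif msg.startswith("proposing traffic selectors for other"):
            side = "proposed_remote"
        elif side and SELECTOR_RE.match(msg):  # selectors the matched config actually offers
            result.setdefault(side, []).append(SELECTOR_RE.match(msg).group(1))
        elif "N(TS_UNACCEPT)" in msg:
            result["ts_unacceptable"] = True
    return result if result.get("ts_unacceptable") else None
```

If the reported `conn` is not the tunnel's own connection, or the proposed selectors do not contain the requested networks, the CHILD_SA negotiation cannot succeed even though the IKE_SA reaches ESTABLISHED, which is why the initiator's GUI can look healthy while the responder rejects the traffic selectors.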